Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel

​Microsoft Defender for IoT enables you to secure your entire OT and Enterprise IoT environment, whether you need to protect existing devices or build security into new innovations.

Microsoft Sentinel and Microsoft Defender for IoT help to bridge the gap between IT and OT security challenges, and to empower SOC teams with out-of-the-box capabilities to efficiently and effectively detect and respond to security threats. The integration between Microsoft Defender for IoT and Microsoft Sentinel helps organizations to quickly detect multistage attacks, which often cross IT and OT boundaries.

This connector allows you to stream Microsoft Defender for IoT data into Microsoft Sentinel, so you can view, analyze, and respond to Defender for IoT alerts, and the incidents they generate, in a broader organizational threat context.

In this tutorial, you will learn how to:

• Connect Defender for IoT data to Microsoft Sentinel
• Use Log Analytics to query Defender for IoT alert data

Prerequisites

Before you start, make sure you have the following requirements on your workspace:

• Read and Write permissions on your Microsoft Sentinel workspace. For more information, see Permissions in Microsoft Sentinel.

• Contributor or Owner permissions on the subscription you want to connect to Microsoft Sentinel.

• A Defender for IoT plan on your Azure subscription with data streaming into Defender for IoT. For more information, see Quickstart: Get started with Defender for IoT.

Connect your data from Defender for IoT to Microsoft Sentinel

Start by enabling the Defender for IoT data connector to stream all your Defender for IoT events into Microsoft Sentinel.

To enable the Defender for IoT data connector:

1. In Microsoft Sentinel, under Configuration, select Data connectors, and then locate the Microsoft Defender for IoT data connector.

2. At the bottom right, select Open connector page.

3. On the Instructions tab, under Configuration, select Connect for each subscription whose alerts and device alerts you want to stream into Microsoft Sentinel.

   If you've made any connection changes, it can take 10 seconds or more for the Subscription list to update.

For more information, see Connect Microsoft Sentinel to Azure, Windows, Microsoft, and Amazon services.

View Defender for IoT alerts

After you've connected a subscription to Microsoft Sentinel, you'll be able to view Defender for IoT alerts in the Microsoft Sentinel Logs area.

1. In Microsoft Sentinel, select Logs > AzureSecurityOfThings > SecurityAlert, or search for SecurityAlert.

2. Use the following sample queries to filter the logs and view alerts generated by Defender for IoT:

   To see all alerts generated by Defender for IoT:

   Kusto

   SecurityAlert | where ProviderName == "IoTSecurity"
   

   To see specific sensor alerts generated by Defender for IoT:

   Kusto

   SecurityAlert
   | where ProviderName == "IoTSecurity"
   | where tostring(parse_json(ExtendedProperties).SensorId) == “<sensor_name>”
   

   To see specific OT engine alerts generated by Defender for IoT:

   Kusto

   SecurityAlert
   | where ProviderName == "IoTSecurity"
   | where ProductComponentName == "MALWARE"
   
   SecurityAlert
   | where ProviderName == "IoTSecurity"
   | where ProductComponentName == "ANOMALY"
   
   SecurityAlert
   | where ProviderName == "IoTSecurity"
   | where ProductComponentName == "PROTOCOL_VIOLATION"
   
   SecurityAlert
   | where ProviderName == "IoTSecurity"
   | where ProductComponentName == "POLICY_VIOLATION"
   
   SecurityAlert
   | where ProviderName == "IoTSecurity"
   | where ProductComponentName == "OPERATIONAL"
   

   To see high severity alerts generated by Defender for IoT:

   Kusto

   SecurityAlert
   | where ProviderName == "IoTSecurity"
   | where AlertSeverity == "High"
   

   To see specific protocol alerts generated by Defender for IoT:

   Kusto

   SecurityAlert
   | where PProviderName == "IoTSecurity"
   | where tostring(parse_json(ExtendedProperties).Protocol) == "<protocol_name>"
   

Huomautus

The Logs page in Microsoft Sentinel is based on Azure Monitor's Log Analytics.

For more information, see Log queries overview in the Azure Monitor documentation and the Write your first KQL query Learn module.

Understand alert timestamps

Defender for IoT alerts, in both the Azure portal and on the sensor console, track the time an alert was first detected, last detected, and last changed.

The following table describes the Defender for IoT alert timestamp fields, with a mapping to the relevant fields from Log Analytics shown in Microsoft Sentinel.

Defender for IoT field	Description	Log Analytics field
First detection	Defines the first time the alert was detected in the network.	StartTime
Last detection	Defines the last time the alert was detected in the network, and replaces the Detection time column.	EndTime
Last activity	Defines the last time the alert was changed, including manual updates for severity or status, or automated changes for device updates or device/alert de-duplication	TimeGenerated

In Defender for IoT on the Azure portal and the sensor console, the Last detection column is shown by default. Edit the columns on the Alerts page to show the First detection and Last activity columns as needed.

For more information, see View alerts on the Defender for IoT portal and View alerts on your sensor.

Understand multiple records per alert

Defender for IoT alert data is streamed to the Microsoft Sentinel and stored in your Log Analytics workspace, in the SecurityAlert table.

Records in the SecurityAlert table are created each time an alert is generated or updated in Defender for IoT. Sometimes a single alert will have multiple records, such as when the alert was first created and then again when it was updated.

In Microsoft Sentinel, use the following query to check the records added to the SecurityAlert table for a single alert:

kql

SecurityAlert
|  where ProviderName == "IoTSecurity"
|  where VendorOriginalId == "<Defender for IoT Alert ID>"
| sort by TimeGenerated desc

Updates for alert status or severity generate new records in the SecurityAlert table immediately.

Other types of updates are aggregated across up to 12 hours, and new records in the SecurityAlert table reflect only the latest change. Examples of aggregated updates include:

• Updates in the last detection time, such as when the same alert is detected multiple times
• A new device is added to an existing alert
• The device properties for an alert are updated

Next steps

The Microsoft Defender for IoT solution is a set of bundled, out-of-the-box content that's configured specifically for Defender for IoT data, and includes analytics rules, workbooks, and playbooks.

Install the Microsoft Defender for IoT solution